thr3ads.net - Shorewall users - [Shorewall-users] Preventing HTTPS connections [May 2003]

If this information is useful, please help other people find it:
Share via:

tqbfjotld

2003-May-30 02:14 UTC

[Shorewall-users] Preventing HTTPS connections

Hello,

I am using Shorewall version 1.4.14 on a Mandrake 9.1 box.
I use Apache 2.0 and I configured shorewall with One Interface 
configuration over
a DSL connection.

I want to prevent people from connecting to 443 port or ignore it.

I added the following rule in /etc/shorewall/rules to ignore connection 
on port 443.

DROP            net     fw      tcp     https

Then I restarted shorewall with shorewall restart.

(According to nmap, port 443/tcp is open on my box.)

When I connect to https://mybox, I can access to the page stored in 
Apache althrough
I thought shorewall would prevent from it.

What am I doing wrong ?

Can anyone help ?

Regards.

Tom Eastep

2003-May-30 06:32 UTC

head link

[Shorewall-users] Preventing HTTPS connections

On Fri, 30 May 2003 07:18:09 -0400, tqbfjotld <tqbfjotld@free.fr> wrote:
> Hello,
>
> I am using Shorewall version 1.4.14 on a Mandrake 9.1 box.
Since the latest release is 1.4.4b, that must be a typing error.
> I use Apache 2.0 and I configured shorewall with One Interface 
> configuration over
> a DSL connection.
>
> I want to prevent people from connecting to 443 port or ignore it.
>
> I added the following rule in /etc/shorewall/rules to ignore connection 
> on port 443.
>
> DROP            net     fw      tcp     https
>
> Then I restarted shorewall with shorewall restart.
>
> (According to nmap, port 443/tcp is open on my box.)
>
> When I connect to https://mybox, I can access to the page stored in 
> Apache althrough
> I thought shorewall would prevent from it.
>
Please set the output of "shorewall status" as described at 
http://www.shorewall.net/support.htm.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

tqbfjotld

2003-May-30 07:36 UTC

head link

[Shorewall-users] Preventing HTTPS connections

Of course, this is a typing error.
Sorry.
Please read :

shorewall version 1.3.14.

My /etc/shorewall/rules has the following lines

ACCEPT       net      fw      tcp    80
DROP            net     fw      tcp     https

----- Original Message -----
From: "Tom Eastep" <teastep@shorewall.net>
To: "tqbfjotld" <tqbfjotld@free.fr>;
<shorewall-users@lists.shorewall.net>
Sent: Friday, May 30, 2003 3:32 PM
Subject: Re: [Shorewall-users] Preventing HTTPS connections

> On Fri, 30 May 2003 07:18:09 -0400, tqbfjotld <tqbfjotld@free.fr>
wrote:
>
> > Hello,
> >
> > I am using Shorewall version 1.4.14 on a Mandrake 9.1 box.
>
> Since the latest release is 1.4.4b, that must be a typing error.
>
> > I use Apache 2.0 and I configured shorewall with One Interface
> > configuration over
> > a DSL connection.
> >
> > I want to prevent people from connecting to 443 port or ignore it.
> >
> > I added the following rule in /etc/shorewall/rules to ignore
connection
> > on port 443.
> >
> > DROP            net     fw      tcp     https
> >
> > Then I restarted shorewall with shorewall restart.
> >
> > (According to nmap, port 443/tcp is open on my box.)
> >
> > When I connect to https://mybox, I can access to the page stored in
> > Apache althrough
> > I thought shorewall would prevent from it.
> >
>
> Please set the output of "shorewall status" as described at
> http://www.shorewall.net/support.htm.
>
> -Tom
> --
> Tom Eastep    \ Shorewall - iptables made easy
> Shoreline,     \ http://www.shorewall.net
> Washington USA  \ teastep@shorewall.net
>
>

Tom Eastep

2003-May-30 08:16 UTC

head link

[Shorewall-users] Preventing HTTPS connections

On Fri, 30 May 2003 16:39:59 +0200, tqbfjotld <tqbfjotld@free.fr> wrote:
> Of course, this is a typing error.
> Sorry.
> Please read :
>
> shorewall version 1.3.14.
>
> My /etc/shorewall/rules has the following lines
>
> ACCEPT       net      fw      tcp    80
> DROP            net     fw      tcp     https
>
I don''t see the "shorewall status" output that I requested.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

tqbfjotld

2003-May-30 08:55 UTC

head link

[Shorewall-users] Preventing HTTPS connections

Tom Eastep wrote:
> On Fri, 30 May 2003 16:39:59 +0200, tqbfjotld <tqbfjotld@free.fr>
wrote:
>
>> Of course, this is a typing error.
>> Sorry.
>> Please read :
>>
>> shorewall version 1.3.14.
>>
>> My /etc/shorewall/rules has the following lines
>>
>> ACCEPT       net      fw      tcp    80
>> DROP            net     fw      tcp     https
>>
>
> I don''t see the "shorewall status" output that I
requested.
>
> -Tom 

Here it is :

[H[2JShorewall-1.3.14 Status at localhost - Fri May 30 13:55:40 EDT 2003

Counters reset Fri May 30 13:29:56 EDT 2003

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination        
 6671  286K ACCEPT     all  --  lo     *       0.0.0.0/0            
0.0.0.0/0         
  470  156K ppp0_in    all  --  ppp0   *       0.0.0.0/0            
0.0.0.0/0         
    0     0 common     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         
    0     0 reject     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 ppp0_fwd   all  --  ppp0   *       0.0.0.0/0            
0.0.0.0/0         
    0     0 common     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         
    0     0 reject     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination        
 6671  286K ACCEPT     all  --  *      lo      0.0.0.0/0            
0.0.0.0/0         
    4   424 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0         
  378 39926 fw2net     all  --  *      ppp0    0.0.0.0/0            
0.0.0.0/0         
    4   596 common     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         
    4   596 reject     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain all2all (0 references)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 common     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         
    0     0 reject     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain common (5 references)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 icmpdef    icmp --  *      *       0.0.0.0/0            
0.0.0.0/0         
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state INVALID
    4   312 REJECT     udp  --  *      *       0.0.0.0/0            
0.0.0.0/0          udp dpts:137:139 reject-with icmp-port-unreachable
    0     0 REJECT     udp  --  *      *       0.0.0.0/0            
0.0.0.0/0          udp dpt:445 reject-with icmp-port-unreachable
    0     0 reject     tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:135
    0     0 DROP       udp  --  *      *       0.0.0.0/0            
0.0.0.0/0          udp dpt:1900
    0     0 DROP       all  --  *      *       0.0.0.0/0            
255.255.255.255   
    0     0 DROP       all  --  *      *       0.0.0.0/0            
224.0.0.0/4       
    0     0 reject     tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:113

Chain dynamic (2 references)
 pkts bytes target     prot opt in     out     source               
destination        

Chain fw2net (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
  318 36492 ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0          state RELATED,ESTABLISHED
    9   360 newnotsyn  tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
   51  3074 ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain icmpdef (1 references)
 pkts bytes target     prot opt in     out     source               
destination        

Chain net2all (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0          state RELATED,ESTABLISHED
    0     0 newnotsyn  tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
  134  6896 common     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         
  130  6584 DROP       all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain net2fw (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
  332  149K ACCEPT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0          state RELATED,ESTABLISHED
    4   160 newnotsyn  tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW tcp flags:!0x16/0x02
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW tcp dpt:80
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            
0.0.0.0/0          icmp type 8
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW tcp dpt:443
    0     0 DROP       udp  --  *      *       0.0.0.0/0            
0.0.0.0/0          state NEW udp dpt:443
  134  6896 net2all    all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain newnotsyn (4 references)
 pkts bytes target     prot opt in     out     source               
destination        
   13   520 DROP       all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain ppp0_fwd (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 dynamic    all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain ppp0_in (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
  470  156K dynamic    all  --  *      *       0.0.0.0/0            
0.0.0.0/0         
  470  156K net2fw     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain reject (6 references)
 pkts bytes target     prot opt in     out     source               
destination        
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          reject-with tcp-reset
    4   596 REJECT     all  --  *      *       0.0.0.0/0            
0.0.0.0/0          reject-with icmp-port-unreachable

Chain shorewall (0 references)
 pkts bytes target     prot opt in     out     source               
destination        

May 29 15:31:00 OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.60.30 
DST=192.168.60.255 LEN=149 TOS=0x00 PREC=0x00 TTL=64 ID=42601 DF 
PROTO=UDP SPT=631 DPT=631 LEN=129
May 29 15:31:12 net2all:DROP:IN=ppp0 OUT= SRC=62.233.185.30 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=3347 DF PROTO=TCP 
SPT=1228 DPT=2934 WINDOW=16384 RES=0x00 SYN URGP=0
May 29 15:31:15 net2all:DROP:IN=ppp0 OUT= SRC=62.233.185.30 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=3367 DF PROTO=TCP 
SPT=1228 DPT=2934 WINDOW=16384 RES=0x00 SYN URGP=0
May 29 15:31:21 net2all:DROP:IN=ppp0 OUT= SRC=62.233.185.30 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=3459 DF PROTO=TCP 
SPT=1228 DPT=2934 WINDOW=16384 RES=0x00 SYN URGP=0
May 29 15:31:27 net2all:DROP:IN=ppp0 OUT= SRC=192.38.74.200 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=62489 DF 
PROTO=TCP SPT=9399 DPT=1343 WINDOW=64240 RES=0x00 SYN URGP=0
May 29 15:31:29 net2all:DROP:IN=ppp0 OUT= SRC=203.122.12.3 
DST=82.64.196.120 LEN=44 TOS=0x00 PREC=0x00 TTL=110 ID=64773 DF 
PROTO=TCP SPT=1251 DPT=2934 WINDOW=8192 RES=0x00 SYN URGP=0
May 29 15:31:30 net2all:DROP:IN=ppp0 OUT= SRC=192.38.74.200 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=62652 DF 
PROTO=TCP SPT=9399 DPT=1343 WINDOW=64240 RES=0x00 SYN URGP=0
May 29 15:31:31 OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.60.30 
DST=192.168.60.255 LEN=149 TOS=0x00 PREC=0x00 TTL=64 ID=56630 DF 
PROTO=UDP SPT=631 DPT=631 LEN=129
May 29 15:31:32 net2all:DROP:IN=ppp0 OUT= SRC=203.122.12.3 
DST=82.64.196.120 LEN=44 TOS=0x00 PREC=0x00 TTL=110 ID=4102 DF PROTO=TCP 
SPT=1251 DPT=2934 WINDOW=8192 RES=0x00 SYN URGP=0
May 29 15:31:33 net2all:DROP:IN=ppp0 OUT= SRC=192.146.136.129 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=53850 DF 
PROTO=TCP SPT=64381 DPT=1343 WINDOW=64240 RES=0x00 SYN URGP=0
May 29 15:31:36 net2all:DROP:IN=ppp0 OUT= SRC=192.146.136.129 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=53855 DF 
PROTO=TCP SPT=64381 DPT=1343 WINDOW=64240 RES=0x00 SYN URGP=0
May 29 15:31:36 net2all:DROP:IN=ppp0 OUT= SRC=192.38.74.200 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=63037 DF 
PROTO=TCP SPT=9399 DPT=1343 WINDOW=64240 RES=0x00 SYN URGP=0
May 29 15:31:42 net2all:DROP:IN=ppp0 OUT= SRC=192.146.136.129 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=53875 DF 
PROTO=TCP SPT=64381 DPT=1343 WINDOW=64240 RES=0x00 SYN URGP=0
May 29 15:32:02 OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.60.30 
DST=192.168.60.255 LEN=149 TOS=0x00 PREC=0x00 TTL=64 ID=56586 DF 
PROTO=UDP SPT=631 DPT=631 LEN=129
May 29 15:32:06 net2all:DROP:IN=ppp0 OUT= SRC=213.33.6.145 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=4836 DF PROTO=TCP 
SPT=1317 DPT=2232 WINDOW=32768 RES=0x00 SYN URGP=0
May 29 15:32:08 net2all:DROP:IN=ppp0 OUT= SRC=213.33.6.145 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=4853 DF PROTO=TCP 
SPT=1317 DPT=2232 WINDOW=32768 RES=0x00 SYN URGP=0
May 29 15:32:14 net2all:DROP:IN=ppp0 OUT= SRC=213.33.6.145 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=116 ID=4876 DF PROTO=TCP 
SPT=1317 DPT=2232 WINDOW=32768 RES=0x00 SYN URGP=0
May 29 15:32:33 OUTPUT:REJECT:IN= OUT=eth0 SRC=192.168.60.30 
DST=192.168.60.255 LEN=149 TOS=0x00 PREC=0x00 TTL=64 ID=65067 DF 
PROTO=UDP SPT=631 DPT=631 LEN=129
May 29 15:32:53 net2all:DROP:IN=ppp0 OUT= SRC=69.0.17.108 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=63864 DF 
PROTO=TCP SPT=4116 DPT=2934 WINDOW=8192 RES=0x00 SYN URGP=0
May 29 15:32:56 net2all:DROP:IN=ppp0 OUT= SRC=69.0.17.108 
DST=82.64.196.120 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=12409 DF 
PROTO=TCP SPT=4116 DPT=2934 WINDOW=8192 RES=0x00 SYN URGP=0

NAT Table

Chain PREROUTING (policy ACCEPT 139 packets, 7104 bytes)
 pkts bytes target     prot opt in     out     source               
destination        

Chain POSTROUTING (policy ACCEPT 6586 packets, 265K bytes)
 pkts bytes target     prot opt in     out     source               
destination        

Chain OUTPUT (policy ACCEPT 6599 packets, 266K bytes)
 pkts bytes target     prot opt in     out     source               
destination        

Mangle Table

Chain PREROUTING (policy ACCEPT 7142 packets, 442K bytes)
 pkts bytes target     prot opt in     out     source               
destination        
 7142  442K pretos     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain INPUT (policy ACCEPT 7142 packets, 442K bytes)
 pkts bytes target     prot opt in     out     source               
destination        

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               
destination        

Chain OUTPUT (policy ACCEPT 7057 packets, 326K bytes)
 pkts bytes target     prot opt in     out     source               
destination        
 7057  326K outtos     all  --  *      *       0.0.0.0/0            
0.0.0.0/0         

Chain POSTROUTING (policy ACCEPT 7044 packets, 326K bytes)
 pkts bytes target     prot opt in     out     source               
destination        

Chain outtos (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
   32  1656 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:22 TOS set 0x10
   20  2811 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp spt:22 TOS set 0x10
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp spt:21 TOS set 0x10
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp spt:20 TOS set 0x08
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:20 TOS set 0x08

Chain pretos (1 references)
 pkts bytes target     prot opt in     out     source               
destination        
   32  1656 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:22 TOS set 0x10
   20  2811 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp spt:22 TOS set 0x10
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:21 TOS set 0x10
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp spt:21 TOS set 0x10
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp spt:20 TOS set 0x08
    2    80 TOS        tcp  --  *      *       0.0.0.0/0            
0.0.0.0/0          tcp dpt:20 TOS set 0x08

tcp      6 430732 ESTABLISHED src=127.0.0.1 dst=82.64.104.57 sport=61896 
dport=80 [UNREPLIED] src=82.64.104.57 dst=127.0.0.1 sport=80 dport=61896 
use=1
tcp      6 82 TIME_WAIT src=82.64.104.57 dst=216.239.37.99 sport=41080 
dport=80 src=216.239.37.99 dst=82.64.104.57 sport=80 dport=41080 
[ASSURED] use=1
tcp      6 43 TIME_WAIT src=82.64.104.57 dst=213.228.0.165 sport=42344 
dport=110 src=213.228.0.165 dst=82.64.104.57 sport=110 dport=42344 
[ASSURED] use=1
tcp      6 79 TIME_WAIT src=127.0.0.1 dst=127.0.0.1 sport=38287 dport=22 
src=127.0.0.1 dst=127.0.0.1 sport=22 dport=38287 [ASSURED] use=1
tcp      6 431067 ESTABLISHED src=127.0.0.1 dst=82.64.104.57 sport=49523 
dport=80 [UNREPLIED] src=82.64.104.57 dst=127.0.0.1 sport=80 dport=49523 
use=1
udp      17 136 src=82.64.104.57 dst=212.27.32.176 sport=32768 dport=53 
src=212.27.32.176 dst=82.64.104.57 sport=53 dport=32768 [ASSURED] use=1
tcp      6 69 TIME_WAIT src=82.64.104.57 dst=216.239.37.99 sport=37829 
dport=80 src=216.239.37.99 dst=82.64.104.57 sport=80 dport=37829 
[ASSURED] use=1

Tom Eastep

2003-May-30 12:19 UTC

head link

[Shorewall-users] Preventing HTTPS connections

On Fri, 30 May 2003 15:08:28 -0400, tqbfjotld <tqbfjotld@free.fr> wrote:
>
> tcp      6 54 CLOSE_WAIT src=82.64.104.57 dst=82.64.104.57 sport=35366 
> dport=443
I''m going to ask you ONE MORE TIME -- WHERE ARE YOU TRYING TO CONNECT
FROM
(where is your browser running)? I ask because the connection tracking 
entry above shows that you are connecting from 82.65.104.57 to 
82.65.104.57. This is a fw->fw connection, not a net->fw connection. YOU 
CANNOT RESTRICT FW->FW CONNECTIONS USING SHOREWALL (people are able to 
easliy shoot themselves in the foot without me providing them with that 
cannon).

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://www.shorewall.net
Washington USA  \ teastep@shorewall.net

Shorewall users - May 2003 - Preventing HTTPS connections

[Shorewall-users] Preventing HTTPS connections

[Shorewall-users] Preventing HTTPS connections

[Shorewall-users] Preventing HTTPS connections

[Shorewall-users] Preventing HTTPS connections

[Shorewall-users] Preventing HTTPS connections

[Shorewall-users] Preventing HTTPS connections